CVE-2025-58158
📋 TL;DR
Harness Gitness git LFS server prior to version 3.3.0 has an arbitrary file write vulnerability due to improper path sanitization in the upload API. Authenticated attackers can write files anywhere on the filesystem, potentially compromising the server. Users of git LFS functionality in affected Harness Open Source versions are vulnerable.
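As an added illustration of the bug class described above (not Harness's own code or the actual fix), a Go path check of the kind an LFS upload handler needs: accept only identifiers that match the git LFS OID format, and confirm the resolved destination stays inside the storage root. The root path and the `<oid[0:2]>/<oid[2:4]>/<oid>` layout are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrBadOID is returned when the requested object id is not a valid LFS OID
// or when the resolved destination would leave the storage root.
var ErrBadOID = errors.New("invalid LFS object id")

// Git LFS object ids are lowercase hex SHA-256 digests (64 characters).
// Anything else (path separators, "..", upper case, wrong length) is rejected.
var oidPattern = regexp.MustCompile(`^[a-f0-9]{64}$`)

// LFSObjectPath returns the on-disk path for an uploaded LFS object under
// root, laid out as root/<oid[0:2]>/<oid[2:4]>/<oid> (assumed layout).
// The allow-list check on the OID is the primary control; the containment
// check afterwards is defence in depth in case the pattern is ever relaxed.
func LFSObjectPath(root, oid string) (string, error) {
	if !oidPattern.MatchString(oid) {
		return "", ErrBadOID
	}
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	dest := filepath.Join(absRoot, oid[0:2], oid[2:4], oid)
	// filepath.Join cleans the path, so confirm the result is still below root.
	rel, err := filepath.Rel(absRoot, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadOID
	}
	return dest, nil
}

func main() {
	good := strings.Repeat("ab", 32) // constructed, well-formed OID
	for _, oid := range []string{good, "../../etc/passwd", "ABCD", "a/b"} {
		p, err := LFSObjectPath("/var/lib/harness/lfs", oid)
		fmt.Printf("%q -> %q err=%v\n", oid, p, err)
	}
}
```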
💻 Affected Systems
- Harness Open Source (Gitness git LFS server)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via arbitrary file write leading to remote code execution, data exfiltration, or system takeover.
Likely Case
Unauthorized file writes to sensitive locations, configuration modification, or privilege escalation.
If Mitigated
Limited impact if proper authentication controls and network segmentation are in place, but file system integrity could still be compromised.
🎯 Exploit Status
Exploitation requires authenticated access to the git LFS API. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.0
Vendor Advisory: https://github.com/harness/harness/security/advisories/GHSA-w469-hj2f-jpr5
Restart Required: Yes
Instructions:
1. Back up your Harness configuration and data.
2. Upgrade to Harness Open Source version 3.3.0 or later.
3. Restart the Harness services.
4. Verify the upgrade was successful.
🔧 Temporary Workarounds
Disable git LFS functionality
Temporarily disable git LFS server functionality if it is not required.
# Configuration depends on deployment method. Consult Harness documentation for disabling git LFS.
Restrict API access
Implement network controls to restrict access to the git LFS API endpoints.
# Use firewall rules to limit access to git LFS API (typically port 3000) to trusted IPs only.
🧯 If You Can't Patch
- Implement strict authentication and authorization controls for all git LFS API users.
- Monitor file system changes and git LFS API logs for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check if Harness version is below 3.3.0 and git LFS is enabled in configuration.
Check Version:
docker exec <harness_container> harness version # or check deployment manifest for version
Verify Fix Applied:
Confirm that the Harness version is 3.3.0 or higher and that commit 21c5ce42ae13740b1cad47706c2ec85e72cc8c20 is included in the deployed build.
📡 Detection & Monitoring
Log Indicators:
- Unusual git LFS upload requests with crafted paths
- File write operations outside expected git LFS directories
- Authentication logs showing suspicious user activity
Network Indicators:
- HTTP POST requests to git LFS upload endpoints with unusual path parameters
- Traffic patterns indicating file upload attempts to non-standard locations
SIEM Query:
source="harness-logs" AND (message="*git-lfs*upload*" AND path!="*expected-path*")